Don’t hash secrets, HMAC them!
This is an old but still very useful article by Ben Adida (at the time of writing director of engineering at Square, previously at Mozilla).
The idea is that simply hashing the secret together with the message, even with a salt, is not a safe way to authenticate that message. You need to HMAC it (Hash-based Message Authentication Code). HMAC is always built on a hash function (MD5, SHA1, SHA-256, etc.), but that hash function is never applied to secret || message alone: the key is mixed in twice, through an inner and an outer hash, and that is exactly what blocks the trick below.

If you know SHA1(secret || message), then you can compute SHA1(secret || message || ANYTHING)
You don’t need to know exactly how HMAC works, just like you don’t need to know exactly how SHA1 works. Under the hood, what’s approximately going on is two hashes, one after the other, with the secret combined after the first hash.
– Don’t hash secrets, HMAC them!
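To make the quoted claim concrete, here is an added example (not code from the original post or from Ben Adida's article) that performs the length-extension attack against a naive SHA1(secret || message) tag and then tries the same trick against HMAC-SHA1. The secret, message and extension are constructed for the example; the attacker is assumed to know the message, its tag and the length of the secret (in practice the length is simply brute-forced, since each guess can be checked against the server).

```python
import hashlib
import hmac
import struct

# --- Minimal SHA1 whose internal state can be set by the caller (the attack needs this) ---

MASK32 = 0xFFFFFFFF
SHA1_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0)

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32

def _compress(state, block):
    """One SHA1 compression of a 64-byte block into the 5-word state."""
    w = list(struct.unpack(">16I", block))
    for i in range(16, 80):
        w.append(_rotl(w[i - 3] ^ w[i - 8] ^ w[i - 14] ^ w[i - 16], 1))
    a, b, c, d, e = state
    for i in range(80):
        if i < 20:
            f, k = (b & c) | (~b & d), 0x5A827999
        elif i < 40:
            f, k = b ^ c ^ d, 0x6ED9EBA1
        elif i < 60:
            f, k = (b & c) | (b & d) | (c & d), 0x8F1BBCDC
        else:
            f, k = b ^ c ^ d, 0xCA62C1D6
        a, b, c, d, e = (_rotl(a, 5) + f + e + k + w[i]) & MASK32, a, _rotl(b, 30), c, d
    return tuple((s + v) & MASK32 for s, v in zip(state, (a, b, c, d, e)))

def md_padding(total_len):
    """The Merkle-Damgard padding SHA1 appends to a message of total_len bytes."""
    return b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", total_len * 8)

def sha1(data, state=SHA1_IV, already_hashed=0):
    """SHA1(data); or, given a state and the byte count that produced it, SHA1 continued from there."""
    padded = data + md_padding(already_hashed + len(data))
    for off in range(0, len(padded), 64):
        state = _compress(state, padded[off:off + 64])
    return struct.pack(">5I", *state)

def matches_hashlib(data):
    """Sanity check of the local SHA1 against the standard library."""
    return sha1(data) == hashlib.sha1(data).digest()

# --- The attack: forge SHA1(secret || message || glue || extension) without knowing secret ---

def extend(tag, message, secret_len, extension):
    """Given tag = SHA1(secret || message) and len(secret), return (forged_message, forged_tag)."""
    glue = md_padding(secret_len + len(message))     # padding the server's hash already absorbed
    state = struct.unpack(">5I", tag)                 # the tag IS the internal state after that block
    forged_message = message + glue + extension
    forged_tag = sha1(extension, state, secret_len + len(message) + len(glue))
    return forged_message, forged_tag

# --- Two verifiers: the naive MAC from the quote, and HMAC ---

SECRET = b"correct horse battery staple"   # constructed for this example; the attacker never sees it
MESSAGE = b"user=alice&role=user"          # constructed sample message
EXTENSION = b"&role=admin"                 # what the attacker wants to append

def naive_mac(message):
    return hashlib.sha1(SECRET + message).digest()

def hmac_mac(message):
    return hmac.new(SECRET, message, hashlib.sha1).digest()

def naive_mac_is_forgeable():
    """Attacker knows MESSAGE, its naive tag and len(SECRET); the forged tag verifies."""
    forged_message, forged_tag = extend(naive_mac(MESSAGE), MESSAGE, len(SECRET), EXTENSION)
    return hmac.compare_digest(naive_mac(forged_message), forged_tag)

def hmac_is_forgeable_the_same_way():
    """Same trick against HMAC: the outer hash hides the inner state, so the forged tag fails."""
    forged_message, forged_tag = extend(hmac_mac(MESSAGE), MESSAGE, len(SECRET), EXTENSION)
    return hmac.compare_digest(hmac_mac(forged_message), forged_tag)

if __name__ == "__main__":
    print("naive SHA1(secret||msg) forgeable:", naive_mac_is_forgeable())
    print("HMAC-SHA1 forgeable the same way: ", hmac_is_forgeable_the_same_way())
```

Note that the forged message carries the glue padding (a 0x80 byte, zeros and the length) in the middle; for formats that tolerate binary junk between fields, such as URL query strings or many JSON parsers, that is no obstacle to the attacker. The same attack applies to MD5, SHA-256 and SHA-512; it does not apply to SHA-3 or to truncated variants such as SHA-512/256, but HMAC is still the construction to reach for.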

HMAC has one detail worth knowing: a key longer than the block size of the underlying hash (64 bytes for SHA1) is first replaced by its hash, so a key of more than 64 bytes and its SHA1 digest are used as the very same key. More generally, for any chosen_password larger than 64 bytes, HMAC-SHA1(chosen_password, message) equals HMAC-SHA1(SHA1(chosen_password), message) for every message.

Takeaway? Don’t hash secrets, HMAC them. But be aware that a secret longer than the block size of the hash function is silently replaced by its digest, so two different secrets (the long one and its hash) authenticate exactly the same messages. For a randomly generated key this costs nothing; it only matters where the secret is a human-chosen password (for example in PBKDF2, which is iterated HMAC), where a long password and its raw digest become interchangeable.
Along the same lines, maybe using passwords longer than 64 bytes is not such a good idea… 🙂
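The following added example (not code from the original post) checks the long-key rule with the standard library's hmac module. It goes slightly beyond the post by showing the same rule for SHA-256 (also a 64-byte block) and for SHA-512, whose block size is 128 bytes, so a 100-byte key is not reduced there. The message and the password values are constructed for the example.

```python
import hashlib
import hmac

# Constructed sample message (not from the original post).
MESSAGE = b"transfer 100 EUR to account 42"

def hmac_tag(key, message, hash_name="sha1"):
    """HMAC tag with the given hash; key reduction happens inside hmac.new()."""
    return hmac.new(key, message, getattr(hashlib, hash_name)).digest()

def equivalent_key(key, hash_name="sha1"):
    """The key HMAC effectively uses: a key longer than the hash's block size is
    replaced by its digest, a shorter or equal key is used as-is (zero-padded)."""
    h = getattr(hashlib, hash_name)
    block_size = h().block_size          # 64 for sha1/sha256, 128 for sha512
    if len(key) > block_size:
        return h(key).digest()
    return key

def keys_collide(key_a, key_b, message, hash_name="sha1"):
    """True when two different keys yield the same tag for the message."""
    if key_a == key_b:
        return False
    return hmac.compare_digest(hmac_tag(key_a, message, hash_name),
                               hmac_tag(key_b, message, hash_name))

def demo():
    long_password = b"p" * 65        # one byte over the SHA1 block size: reduced
    edge_password = b"p" * 64        # exactly the block size: not reduced
    return {
        "sha1_65_byte_key_equals_its_digest":
            keys_collide(long_password, hashlib.sha1(long_password).digest(), MESSAGE),
        "sha1_64_byte_key_does_not":
            keys_collide(edge_password, hashlib.sha1(edge_password).digest(), MESSAGE),
        "sha256_100_byte_key_equals_its_digest":
            keys_collide(b"q" * 100, hashlib.sha256(b"q" * 100).digest(), MESSAGE, "sha256"),
        "sha512_100_byte_key_does_not":
            keys_collide(b"q" * 100, hashlib.sha512(b"q" * 100).digest(), MESSAGE, "sha512"),
    }

if __name__ == "__main__":
    for name, collides in demo().items():
        print(f"{name}: {collides}")
```

The practical consequence for a password check built on HMAC or PBKDF2-HMAC is that the 20-byte SHA1 digest of a 65-byte password logs in just as well as the password itself; the fix is either to keep secrets at or below the block size, or to pre-hash the password with something that includes a domain separator before it reaches HMAC.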

The previous post about Panini stickers got into some mathematical formulas. Its two main conclusions concerned the probability of duplicates and the probability of all stickers being distinct. That was the mathematical approach to the problem.
Below, the geeky one 🙂

1. Duplicates probability

In a Panini pack of 17 stickers drawn at random from 192 possible stickers, there is roughly a 50% chance (about 52%, by the birthday-problem formula) of at least one duplicate.

The geeky way:
– generate a random array of n integers in the range [1, 192]
– count how many duplicates the array contains
– repeat this many times to get a reliable estimate.
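The three steps above as a runnable Monte Carlo simulation, added here as an example (not the original post's code). It generalizes the post's single case by taking the pack size and the sticker count as parameters and compares the estimate with the exact birthday-problem product, so the 50% claim can be checked directly; the seed and trial count are choices made for this example.

```python
import random

STICKERS = 192      # distinct stickers in the album, as in the post
PACK_SIZE = 17      # stickers drawn per pack, as in the post

def count_duplicates(pack):
    """Number of stickers in the pack that repeat one already drawn."""
    return len(pack) - len(set(pack))

def random_pack(size, stickers, rng):
    """One pack: `size` independent uniform draws from 1..stickers (repeats allowed)."""
    return [rng.randint(1, stickers) for _ in range(size)]

def simulate_duplicate_probability(size=PACK_SIZE, stickers=STICKERS, trials=100_000, seed=1):
    """Monte Carlo estimate of P(at least one duplicate in a pack of `size`)."""
    rng = random.Random(seed)   # fixed seed so the estimate is reproducible
    hits = 0
    for _ in range(trials):
        if count_duplicates(random_pack(size, stickers, rng)) > 0:
            hits += 1
    return hits / trials

def exact_duplicate_probability(size=PACK_SIZE, stickers=STICKERS):
    """Birthday-problem formula: 1 - prod_{i=0}^{size-1} (stickers - i) / stickers."""
    p_all_distinct = 1.0
    for i in range(size):
        p_all_distinct *= (stickers - i) / stickers
    return 1.0 - p_all_distinct

if __name__ == "__main__":
    print("pack size  simulated  exact")
    for n in (5, 10, 17, 25):
        print(f"{n:9d}  {simulate_duplicate_probability(n):9.3f}  {exact_duplicate_probability(n):.3f}")
```

With 100,000 trials the standard error of the estimate is about 0.16 percentage points, so the simulated and exact columns should agree to two decimals; for 17 stickers both land at about 0.52.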